0fd805837fd0b1c196df557e1d44a6cc353f61839e84bd62677307f24a66ded9

General

Target

563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe
Size

1.8MB
MD5

563737b34e7de80cfed7667cc559b9b0
SHA1

16dfedbbe60a48f4a74f6407072c2bab8b62858d
SHA256

0fd805837fd0b1c196df557e1d44a6cc353f61839e84bd62677307f24a66ded9
SHA512

1aeb8b089e20fb2af16cc6ea3e5b89cf17132e34361a332e4136422944f4e740a577200261c41097de490f111e5e1ca3d6e6642620c8abb930f0cfbb6e8d762a
SSDEEP

24576:8s3eNqfZ+KTiNRpz3TtcBfadBmwBIC1U2OiSxYgfje135XGBqVBCejz3/xWVZ+pk:5ecf4/5tJdBmEnvvgLe13xJjzkB+O

Score

7^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
5000	wrar400d.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4800 set thread context of 4996	4800	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrar400d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5000	wrar400d.exe
5000	wrar400d.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 5000	4800	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe	87
PID 4800 wrote to memory of 5000	4800	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe	87
PID 4800 wrote to memory of 5000	4800	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe	87
PID 4800 wrote to memory of 4996	4800	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe	88
PID 4800 wrote to memory of 4996	4800	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe	88
PID 4800 wrote to memory of 4996	4800	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe	88
PID 4800 wrote to memory of 4996	4800	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe	88
PID 4800 wrote to memory of 4996	4800	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe	88
PID 4800 wrote to memory of 4996	4800	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe	88
PID 4800 wrote to memory of 4996	4800	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe	88
PID 4800 wrote to memory of 4996	4800	563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\wrar400d.exe
  "C:\Users\Admin\AppData\Local\Temp\wrar400d.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5000
- C:\Users\Admin\AppData\Local\Temp\563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\563737b34e7de80cfed7667cc559b9b0_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wrar400d.exe

Filesize
1.5MB

MD5
66f7f03154b35a3a28e42f722b2c7d23

SHA1
0b718ed7e0bc91651bb90832e889a515b650cafe

SHA256
dd706256edf085627f83c31fdb951c8bfaf1ab1f9491f381735b27c09aa731a5

SHA512
2f1318171e2ad4feb54dd7fec83ab771b90fe9b949bbdef74258be29c4e9411b20b587dc20f82fe1e69a7d3f3206f52daffa5f2929c28bfa1ba903621f34ac0f

Download Submit
memory/4800-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4800-15-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4996-8-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4996-11-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4996-16-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing